The GDPR and mobile application protection

The GDPR and mobile application protection

In April 2016, the European Parliament and the European Council adopted the General Data Protection Regulation, also known as GDPR. It is intended to strengthen and unify the data protection for individuals inside the European Union. The regulation will come into effect in May 2018 and organizations across Europe are working hard to ensure their security policies comply with the new legislation. To facilitate that process, we will zoom in on the significance of the GDPR for the security of mobile applications.

The GDPR contains two articles that are relevant for mobile application protection.

Article 25 introduces the principle of data protection by design. It obligates data controllers and processors to consider privacy during the entire development cycle of new systems or processes that use personal data.

Article 32 stipulates that data controllers and processors need to implement sufficient technical and organizational measures to ensure the integrity of processing systems and processes. These measures should counter the risks associated with data processing, like accidental or unlawful destruction, loss, modification and unauthorized disclosure of or access to transmitted or stored personal data.

The organizations concerned have to be able to show that the security measures mentioned in article 25 and 32 are in place and that compliance with the GDPR is monitored. The failure to adhere to either of these articles can result in fines of up to 2% of the annual worldwide turnover or EU10 million (article 83).

Since mobile applications have become an integral part of data processing systems, it is important to know which measures can be taken to ensure the confidentiality of the processed data in the context of the GDPR. The most important vulnerability of mobile applications is that they can be reverse engineered in no time. This enables hackers to gain insight in the structure of the application, to extract information (encryption keys, API keys, etc.) that can be used to access private data and to tamper with the application to harvest user credentials. To counter reverse engineering and secure the users' data, the applications must be protected using a double approach.

The source code of mobile applications should be hardened using multiple obfuscation and encryption techniques. Code hardening ensures that the source code of mobile applications remains illegible to hackers that succeed in decompiling or disassembling them.

Runtime application self-protection (or RASP) mechanisms need to be integrated in mobile applications. These mechanisms protect applications from dynamic analysis and live attacks by monitoring their integrity and the integrity of the device on which they are running.

Protecting mobile applications is a crucial aspect of developing secure data processing systems. In addition, measures have to be taken to ensure the confidentiality of the data itself.

SSL pinning makes sure mobile applications are communicating with the intended server and protects data in transit from being intercepted by a man-in-the-middle attack.

White-box cryptography is a recommended solution for mobile applications that contain a data encryption key. The technology makes sure the key cannot be lifted from the application and used to decrypt stored or transmitted data.